[Samba] SID of member server in Samba domain (smbldap_search_domain_info: NT_STATUS_UNSUCCESSFUL)

Rowland Penny rowlandpenny at googlemail.com
Mon Nov 3 11:31:25 MST 2014


On 03/11/14 17:39, MI wrote:
>
>> For a domain controller (PDC or BDC), the localsid should be the same 
>> as the domainsid.     For a member server, the local sid will be 
>> unique to that machine, so what you are seeing is normal.
>
> Well, that is what I originally had. A different local SID for the 
> member server, and no error. Everything looked fine, except that I 
> couldn't authenticate.
>
>> I think it is a little funny that "net getlocalsid" refers to the 
>> machine name of the local computer as a domain but  that is what I 
>> see too.
>>
>> The only time you would need to change the localsid is if you where 
>> changing a member server into a domain controller.
>>
>> I find samba  member servers to be more problems than domain 
>> controllers.    On my member servers  I have LDAP running for the 
>> unix account info but not samba accounts.     The domain controllers 
>> use LDAP for both unix and samba account info. I don't use winbind on 
>> the member servers.      If I look at file permissions in windows on 
>> files I own, it shows them as owned my UNIX\myname not 
>> MYDOMAIN\myname.        So samba doesn't recognize that the windows 
>> users is a member of the domain but at least it maps the samba user 
>> to the LDAP unix user when granting file access.
>
> I haven't configured winbind either. Nor idmap. Neither on the PDC, 
> nor on the member server. Maybe I should?
>
>
>>     (It makes changing  permissions via windows difficult, but users 
>> can also ssh to the server.)
>>
>
> Your users can SSH? You are lucky to have very special users. Most of 
> mine can't even open a command prompt to type "ping ..."  into it, 
> without patient hand-holding ...
>
>
> It must be possible to have a member server while still using the LDAP 
> server which is on the PDC. In the manual, I found explanations for a 
> BDC, but not for a plain file server.
>
> If someone has this working, please share...
>
> MI
>
>>
>> On 11/02/14 12:00, MI wrote:
>>> I have a domain with Samba 3 acting as PDC, and using LDAP (passdb 
>>> backend = ldapsam).
>>>
>>> I now wanted to add a second Samba 3 machine as a simple file 
>>> server. I get errors with getdomainsid and getlocalsid, so there is 
>>> obviously still something wrong with my config.
>>>
>>> The PDC runs Samba 3.5.6 on Debian Squeeze. Sid queries return:
>>>
>>>    # net getdomainsid
>>>    SID for local machine MY_PDC_HOST is: 
>>> S-1-5-21-4174501313-1202754954-1084205825
>>>    SID for domain MY_DOMAIN is: 
>>> S-1-5-21-4174501313-1202754954-1084205825
>>>
>>>    # net getlocalsid
>>>    SID for domain MY_PDC_HOST is: 
>>> S-1-5-21-4174501313-1202754954-1084205825
>>>
>>> (So, all SIDs are the same. And there is no error)
>>>
>>>
>>> The other server runs Samba 3.6.6 on Debian stable ("Wheezy"). At 
>>> first, it wouldn't let me access it's shares, and SID queries returned:
>>>
>>>    # net getdomainsid
>>>    SID for local machine OTHER is: 
>>> S-1-5-21-2241737573-1899521008-914752976
>>>    SID for domain MY_DOMAIN is: 
>>> S-1-5-21-4174501313-1202754954-1084205825
>>>
>>>    # net getlocalsid
>>>    SID for domain OTHER is: S-1-5-21-2241737573-1899521008-914752976
>>>
>>> But the log file complained about mismatched domain SIDs, and 
>>> wouldn't let me authenticate:
>>>
>>>    auth/server_info.c:386(samu_to_SamInfo3)
>>>       The primary group domain 
>>> sid(S-1-5-21-2241737573-1899521008-914752976-513)
>>>    does not match the domain 
>>> sid(S-1-5-21-4174501313-1202754954-1084205825) for
>>>    mi(S-1-5-21-4174501313-1202754954-1084205825-3000)
>>>
>>>    auth/check_samsec.c:492(check_sam_security)
>>>       check_sam_security: make_server_info_sam() failed with 
>>> 'NT_STATUS_UNSUCCESSFUL'
>>>
>>>    auth/auth.c:319(check_ntlm_password)
>>>       check_ntlm_password:  Authentication for user [mi] -> [mi] 
>>> FAILED with error
>>>    NT_STATUS_UNSUCCESSFUL
>>>
>>>
>>>
>>> So I tried to change the SID with
>>>
>>>    # net setlocalsid S-1-5-21-4174501313-1202754954-1084205825
>>>
>>>
>>> Now, I can access the share but SID queries give errors:
>>>
>>>    # net getdomainsid
>>>    *smbldap_search_domain_info: Adding domain info for OTHER failed 
>>> with
>>>    NT_STATUS_UNSUCCESSFUL*
>>>    SID for local machine OTHER is: 
>>> S-1-5-21-4174501313-1202754954-1084205825
>>>    SID for domain MY_DOMAIN is: 
>>> S-1-5-21-4174501313-1202754954-1084205825
>>>
>>>    # net getlocalsid
>>>    *smbldap_search_domain_info: Adding domain info for OTHER failed 
>>> with
>>>    NT_STATUS_UNSUCCESSFUL*
>>>    SID for domain OTHER is: S-1-5-21-4174501313-1202754954-1084205825
>>>
>>>
>>> Is it correct to have the same SID for a machine in the domain as 
>>> for the domain itself, or shouldn't that only be the case on the PDC?
>>>
>>> Where do I start looking?
>>>
>>>
>>
>
>
Hi, it has been sometime since I setup a member server against a samba 
NT4 PDC, but from memory, it is just like an AD member server, your 
users are stored on the PDC and all authentication comes from the PDC. 
It is a bit more simplistic than AD and your domain users need to be in 
sync with your Unix users unlike AD, where the users only exist in AD.

For the member server setup, have a look here:

http://pig.made-it.com/samba-ldap-member.html

Rowland




More information about the samba mailing list